chore(deps): update dependency storybook to v9.1.19 [security]#891
ham-renovate wants to merge 1 commit into main
No actionable comments were generated in the recent review.
Walkthrough: Storybook devDependency was upgraded from major version 8 to 9 in two package.json files. No functional changes, API, or control-flow modifications were introduced.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@infrastructure/eid-wallet/package.json`:
- Line 81: The Storybook dependency versions are inconsistent and do not ensure
the patched release addressing CVE-2026-27148; update the package.json entries
so all Storybook packages use the same patched version (at least 9.1.19) to
avoid major/minor skew. Specifically, change the top-level "storybook"
dependency and every `@storybook/*` entry in this package and in
platforms/pictique/client/package.json to the identical version spec (e.g.,
"9.1.19"), then reinstall (npm/yarn) and verify package-lock / yarn.lock
reflects the unified version and run a security audit to confirm the CVE is
resolved.
In `@platforms/pictique/client/package.json`:
- Line 43: The package.json currently mixes "storybook": "^9.0.0" with
`@storybook/*` packages at ^8.6.12, causing an incompatible major-version
mismatch; update all Storybook packages to a consistent 9.x line (recommend
9.1.19 or later) by changing versions for `@storybook/addon-essentials`,
`@storybook/blocks`, `@storybook/svelte`, `@storybook/sveltekit`, and `@storybook/test`
to 9.1.19 (or later) and remove the now-consolidated packages
`@storybook/addon-essentials` and `@storybook/blocks` from devDependencies (since
core "storybook" 9.x includes them) to resolve the incompatibility and address
CVE-2026-27148.
ℹ️ Review info
Configuration used: defaults; review profile: CHILL; plan: Pro
Files ignored due to path filters (1): pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
Files selected for processing (2): infrastructure/eid-wallet/package.json, platforms/pictique/client/package.json
| "playwright": "^1.51.1", | ||
| "postcss": "^8.5.3", | ||
| "storybook": "^8.6.7", | ||
| "storybook": "^9.0.0", |
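Review bot: the new spec `"storybook": "^9.0.0"` is a range, not the 9.1.19 the PR title targets, and with pnpm-lock.yaml excluded from this review the resolved version cannot be confirmed from the hunk. Suggest `"storybook": "^9.1.19"` so the patched floor is encoded in package.json rather than only in the lock, and the same bump for the `@storybook/*` entries this file keeps on `^8.6.7`, otherwise the install carries a mixed 8.x/9.x Storybook set.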
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# First check if the package.json file exists and show its Storybook dependencies.
# The file path is passed as an argument: the heredoc is python's stdin (its program),
# so the JSON has to come from the named file rather than from a pipe into stdin.
echo "=== Checking infrastructure/eid-wallet/package.json ==="
if [ -f "infrastructure/eid-wallet/package.json" ]; then
  python3 - infrastructure/eid-wallet/package.json <<'PY'
import sys, json
with open(sys.argv[1]) as fh:
    data = json.load(fh)
dev = data.get("devDependencies", {})
sb = {k: v for k, v in dev.items() if k == "storybook" or k.startswith("@storybook/")}
print("Storybook-related dependencies:")
for k, v in sorted(sb.items()):
    print(f"  {k}: {v}")
PY
else
  echo "File not found"
fi
echo ""
echo "=== Checking for lock files ==="
fd -a 'pnpm-lock.yaml|package-lock.json|yarn.lock' | head -20
echo ""
echo "=== Checking lock file for storybook versions ==="
if [ -f "pnpm-lock.yaml" ]; then
  echo "Found pnpm-lock.yaml"
  rg -i 'storybook.*9\.0|@storybook.*8\.6' pnpm-lock.yaml | head -30 || echo "No direct matches found"
fi
Repository: MetaState-Prototype-Project/prototype
Length of output: 874
🏁 Script executed:
# Check the actual lines in the file
if [ -f "infrastructure/eid-wallet/package.json" ]; then
echo "=== Lines around 59-65 and 81 in package.json ==="
wc -l infrastructure/eid-wallet/package.json
echo ""
echo "Lines 55-70:"
sed -n '55,70p' infrastructure/eid-wallet/package.json
echo ""
echo "Lines 78-85:"
sed -n '78,85p' infrastructure/eid-wallet/package.json
fi
Repository: MetaState-Prototype-Project/prototype
Length of output: 1106
🏁 Script executed:
# Check if other package.json mentioned in review exists
if [ -f "platforms/pictique/client/package.json" ]; then
echo "=== platforms/pictique/client/package.json Storybook dependencies ==="
sed -n '1,100p' platforms/pictique/client/package.json | grep -A 1 -B 1 '"storybook\|"@storybook' || echo "No storybook dependencies found"
fi
echo ""
echo "=== Searching for all package.json files ==="
fd -t f 'package\.json$' | head -20
echo ""
echo "=== Checking for lock files ==="
fd -t f '(pnpm-lock\.yaml|package-lock\.json|yarn\.lock)$'
Repository: MetaState-Prototype-Project/prototype
Length of output: 1553
🌐 Web query:
CVE-2026-27148 Storybook 9.1.19 security update
💡 Result:
CVE-2026-27148 (Storybook): fixed in Storybook 9.1.19
- What it is: A WebSocket hijacking issue in the Storybook dev server (used by `storybook dev`) that can allow an attacker to send unauthorized WebSocket messages (no Origin validation) and potentially achieve persistent XSS or RCE via unsanitized input (e.g., `componentFilePath`) in story create/save handlers. Production builds are not impacted. [1][2]
- When it's exploitable: If a developer visits a malicious website while their local dev server is running; risk is higher if the dev server is exposed publicly. [1][2]
- Fixed versions: Upgrade to one of 7.6.23, 8.6.17, 9.1.19, or 10.2.10 (depending on your major). [1][2]
Recommended update (for Storybook 9)
- Upgrade Storybook packages to 9.1.19 (keep all `storybook`/`@storybook/*` on the same version). [1]
- Practical approach: run the Storybook upgrade tool and target 9.1.19 (Storybook documents using `npx storybook@... upgrade`). [3]
Extra mitigations (if you can't upgrade immediately)
- Don't expose the dev server to untrusted networks; avoid running it publicly for demos/reviews, and be cautious about browsing untrusted sites while it's running. [1][2]
Sources: GitHub Security Advisory GHSA-mjf5-7g4m-gx5w (CVE-2026-27148) [1], OSV CVE record [2], Storybook upgrade docs [3].
Citations:
- 1: GHSA-mjf5-7g4m-gx5w
- 2: https://osv.dev/vulnerability/CVE-2026-27148?utm_source=openai
- 3: https://storybook.js.org/docs/releases/upgrading/?utm_source=openai
Storybook dependencies have version skew and do not enforce the security floor required by CVE-2026-27148.
The storybook: "^9.0.0" constraint does not guarantee the patched version (9.1.19), and this file keeps @storybook/* packages on ^8.6.7, creating a major/minor version mismatch. Per the CVE-2026-27148 security advisory for the WebSocket hijacking vulnerability in the dev server, all Storybook packages must remain on the same version. The same issue affects platforms/pictique/client/package.json (which has @storybook/* at ^8.6.12).
Suggested fix
- "@storybook/addon-essentials": "^8.6.7",
- "@storybook/addon-interactions": "^8.6.7",
- "@storybook/blocks": "^8.6.7",
- "@storybook/experimental-addon-test": "^8.6.7",
- "@storybook/svelte": "^8.6.7",
- "@storybook/sveltekit": "^8.6.7",
- "@storybook/test": "^8.6.7",
+ "@storybook/addon-essentials": "^9.1.19",
+ "@storybook/addon-interactions": "^9.1.19",
+ "@storybook/blocks": "^9.1.19",
+ "@storybook/experimental-addon-test": "^9.1.19",
+ "@storybook/svelte": "^9.1.19",
+ "@storybook/sveltekit": "^9.1.19",
+ "@storybook/test": "^9.1.19",
@@
- "storybook": "^9.0.0",
+ "storybook": "^9.1.19",📝 Committable suggestion
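Review bot: the suggested fix bumps `@storybook/addon-essentials`, `@storybook/blocks` and `@storybook/addon-interactions` to `^9.1.19`, but the second review comment on this PR states those packages are empty since Storybook 9 and should be removed, and the 9.0.0 release notes record `@storybook/experimental-addon-test` being moved to `@storybook/addon-vitest` (#31014), so `"@storybook/experimental-addon-test": "^9.1.19"` may have no release under that name. Suggest dropping the consolidated packages and renaming the addon-test entry rather than bumping them, then running the project's install to confirm every spec resolves.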
| "storybook": "^9.0.0", | |
| "storybook": "^9.1.19", |
| "prettier-plugin-svelte": "^3.3.3", | ||
| "prettier-plugin-tailwindcss": "^0.7.0", | ||
| "storybook": "^8.6.12", | ||
| "storybook": "^9.0.0", |
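Review bot: same range problem as in infrastructure/eid-wallet/package.json: `^9.0.0` admits 9.0.x, which is below the 9.1.19 fix the PR is named after, and the CodeRabbit comment on this line notes the `@storybook/*` packages in this file stay on `^8.6.12`, so this hunk on its own yields a `storybook@9` plus `@storybook/*@8` install. Suggest `"storybook": "^9.1.19"` and moving the framework packages (`@storybook/svelte`, `@storybook/sveltekit`, `@storybook/test`) to the same spec in the same commit.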
🧩 Analysis chain
🏁 Script executed:
cat -n platforms/pictique/client/package.json | head -50
Repository: MetaState-Prototype-Project/prototype
Length of output: 2030
🌐 Web query:
Storybook 9.0.0 compatibility with @storybook packages version alignment requirements
💡 Result:
Storybook 9.0.0 compatibility / @storybook/* version-alignment rules
- Don't mix major versions: If you're on Storybook 9.0.0, keep Storybook dependencies on 9.x (avoid combinations like `storybook@9` with `@storybook/*@8`, which can lead to "mismatched versions" problems the upgrade/doctor flow explicitly checks for). [3][5]
- Prefer upgrading as a set: Use the upgrade tool, which updates "all Storybook packages" together and then runs `storybook doctor` to catch common issues like duplicated deps, incompatible addons, and mismatched versions. [3]
- Many `@storybook/*` packages were consolidated into the single `storybook` package in v9 (and some were removed). If you still list removed/consolidated packages, you should migrate imports to the new `storybook/...` export paths. [1][2]
- Addon authors (peer deps): For Storybook 9, addons should generally depend on `storybook` (not a long list of `@storybook/*` packages) and set `peerDependencies: { "storybook": "^9.0.0" }` so the addon uses the host project's Storybook version and avoids duplicate Storybook copies. [2]
- Packages that became empty in Storybook 9: `@storybook/addon-essentials`, `@storybook/addon-interactions`, `@storybook/addon-links`, and `@storybook/blocks` are empty since Storybook 9 and should be removed from dependencies (they're not published going forward). [4]
Practical recommendation for a SB 9.0.0 app: keep storybook and your framework package (e.g. @storybook/react-vite, @storybook/angular, etc.) on the same 9.x line, run npx storybook@9 upgrade, and fix anything npx storybook doctor reports about mismatched versions. [3]
Sources
[1] Storybook migration guide (8 → 9): package consolidation/removals and new import paths
[2] Addon migration guide for Storybook 9.0: dependency/peerDependency guidance (storybook as peer dep)
[3] Storybook "Upgrading" docs: upgrade upgrades all Storybook packages together + doctor checks mismatched versions
[4] Addon migration guide for Storybook 10.0: notes specific packages are empty since Storybook 9
[5] storybook doctor diagnostics categories: includes version mismatches/peer-dep issues
🌐 Web query:
CVE-2026-27148 Storybook security vulnerability patch version
💡 Result:
For CVE-2026-27148 (Storybook dev server WebSocket hijacking), the vulnerability is fixed in:
- 7.6.23
- 8.6.17
- 9.1.19
- 10.2.10 (upgrade to this or any later version in the same major line) [1][2]
Align Storybook packages: storybook 9.0.0 mixed with @storybook/* 8.6.12 is incompatible.
Line 43 specifies "storybook": "^9.0.0" while @storybook/addon-essentials, @storybook/blocks, @storybook/svelte, @storybook/sveltekit, and @storybook/test remain on ^8.6.12. This major version mismatch is unsupported and can cause runtime issues. Additionally, @storybook/addon-essentials and @storybook/blocks were consolidated into storybook 9 and should be removed from devDependencies. Upgrade all Storybook packages to 9.1.19 (or later in the 9.x line) to patch CVE-2026-27148 and remove the consolidated packages.
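Both review comments make the same two points: a `^9.0.0` range does not by itself guarantee the 9.1.19 fix, and `storybook` must not drift from the `@storybook/*` packages. The script below is an added example (not Renovate's, CodeRabbit's or Storybook's code) that checks both conditions on a package.json object, using the patched versions listed in the advisory on this page. The `auditStorybookDeps`, `rangeFloor` and `PATCHED_BY_MAJOR` names are this example's own, and the two package.json objects at the bottom are constructed samples modelled on the files in this PR, not copies of them.

```javascript
// Added example, not Renovate's or CodeRabbit's code: audit the Storybook
// entries of a package.json against the patched versions the advisory lists
// for CVE-2026-27148, and report major-version skew between "storybook" and
// "@storybook/*". Only exact, caret (^) and tilde (~) specs are interpreted;
// any other range is reported for manual review rather than silently passed.

// Lowest patched release per major line, as given in the advisory.
const PATCHED_BY_MAJOR = { 7: "7.6.23", 8: "8.6.17", 9: "9.1.19", 10: "10.2.10" };

function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(text);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// The lowest version an npm range can resolve to. For "1.2.3", "^1.2.3" and
// "~1.2.3" that is 1.2.3 itself; anything else (">=", "*", tags) returns null.
function rangeFloor(spec) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(String(spec).trim());
  return m ? parseVersion(m[1]) : null;
}

function storybookEntries(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.entries(deps).filter(
    ([name]) => name === "storybook" || name.startsWith("@storybook/")
  );
}

// Returns a list of { name, spec, problem } findings; an empty list means every
// Storybook package is on one major line and cannot resolve below the fix.
function auditStorybookDeps(pkg, patchedByMajor = PATCHED_BY_MAJOR) {
  const findings = [];
  const majors = new Set();
  for (const [name, spec] of storybookEntries(pkg)) {
    const floor = rangeFloor(spec);
    if (!floor) {
      findings.push({ name, spec, problem: "range not interpreted; check the lockfile by hand" });
      continue;
    }
    majors.add(floor[0]);
    const fixed = patchedByMajor[floor[0]];
    if (!fixed) {
      findings.push({ name, spec, problem: `no patched release listed for major ${floor[0]}` });
    } else if (compareVersions(floor, parseVersion(fixed)) < 0) {
      // A range like ^9.0.0 may resolve to 9.1.19 today, but nothing in
      // package.json forces it; only the lockfile holds the line.
      findings.push({ name, spec, problem: `range can resolve below patched ${fixed}` });
    }
  }
  if (majors.size > 1) {
    findings.push({
      name: "(all Storybook packages)",
      spec: [...majors].sort((a, b) => a - b).join(", "),
      problem: "major-version skew between storybook and @storybook/* packages",
    });
  }
  return findings;
}

// Constructed samples: the shape this PR leaves behind, and an aligned set.
const SAMPLE_BEFORE = {
  devDependencies: {
    "@storybook/svelte": "^8.6.7",
    "@storybook/sveltekit": "^8.6.7",
    "playwright": "^1.51.1",
    "storybook": "^9.0.0",
  },
};
const SAMPLE_AFTER = {
  devDependencies: {
    "@storybook/svelte": "^9.1.19",
    "@storybook/sveltekit": "^9.1.19",
    "playwright": "^1.51.1",
    "storybook": "^9.1.19",
  },
};

// Usage from a checkout: node audit-storybook.js path/to/package.json ...
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  for (const file of process.argv.slice(2)) {
    const findings = auditStorybookDeps(JSON.parse(fs.readFileSync(file, "utf8")));
    console.log(`${file}: ${findings.length === 0 ? "ok" : `${findings.length} finding(s)`}`);
    for (const f of findings) console.log(`  ${f.name} ${f.spec}: ${f.problem}`);
  }
}

if (typeof module !== "undefined") {
  module.exports = { auditStorybookDeps, rangeFloor, SAMPLE_BEFORE, SAMPLE_AFTER, PATCHED_BY_MAJOR };
}
```

Run against the sample that mirrors this PR, the audit reports the two `@storybook/*` entries (8.6.7 is below the 8.6.17 fix), the `storybook` entry (9.0.0 is below 9.1.19) and the 8/9 skew; the aligned sample reports nothing. The check deliberately reads package.json rather than the lockfile, because the lockfile can be regenerated at any time and the floor in package.json is what survives that.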
b1b1bb6 to e520dc5
This PR contains the following updates:
- ^8.6.12 → ^9.0.0
- ^8.6.7 → ^9.0.0
- 9.1.17 → 9.1.19
GitHub Vulnerability Alerts
CVE-2026-27148
Summary
The WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted.
Details
Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction.
If a Storybook dev server is intentionally exposed publicly (e.g. for design reviews or stakeholder demos) the risk is higher, as no malicious site visit is required. Any unauthenticated attacker can send WebSocket messages to it directly.
The vulnerability affects the WebSocket message handlers for creating and saving stories, which can be exploited via unauthorized WebSocket connections to achieve persistent XSS or Remote Code Execution (RCE).
Note: recent versions of Chrome have some protections against this, but Firefox does not.
Impact
This vulnerability can lead to supply chain compromise. Key risks include:
Affected versions
8.1 and above. While the exploitable functionality was introduced in 8.1, the patch has been applied to 7.x as a precautionary measure given the underlying WebSocket behaviour.
Recommended actions
Update to one of the patched versions:
7.6.23, 8.6.17, 9.1.19, 10.2.10.
Release Notes
storybookjs/storybook (storybook)
v9.1.19
v9.1.18
v9.1.17
v9.1.16
- `experimental_devServer` preset - #32862, thanks @yannbf!
v9.1.15
- `preview-first-load` telemetry - #32770, thanks @shilman!
- `vite-plugin-storybook-nextjs` - #32821, thanks @ndelangen!
v9.1.14
- `play-fn` tag for methods - #32695, thanks @shilman!
v9.1.13
v9.1.12
v9.1.11
- `sb.mock` usage in Storybook's deployed in subpaths - #32678, thanks @valentinpalkovic!
v9.1.10
v9.1.9
- `HTMLAttributes` docgen when using utility types - #32173, thanks @steciuk!
v9.1.8
- `node` entry point - #32534, thanks @ndelangen!
v9.1.7
- `vite-plugin-storybook-nextjs` to 2.0.7 - #32331, thanks @k35o!
- `@ts-expect-error` in preview - #32442, thanks @mrginglymus!
v9.1.6
- `create-storybook` - #32344, thanks @shilman!
v9.1.5
- `satisfies x as y` syntax - #32169, thanks @diagramatics!
v9.1.4
- `docgen` option to disable docgen processing - #32319, thanks @copilot-swe-agent!
- `@sveltejs/vite-plugin-svelte` v6 - #32320, thanks @JReinhold!
v9.1.3
v9.1.2
- `entry.polyfills` undefined error - #32230, thanks @sk-pub!
v9.1.1
- `experimental_devServer` preset - #32862, thanks @yannbf!
v9.1.0
Storybook 9.1 is packed with new features and improvements to enhance accessibility, streamline testing, and make your development workflow even smoother!
🚀 Improved upgrade command with monorepo support for seamless upgrades
🅰 Angular fixes for Tailwind 4, cache busting, and zoneless compatibility
🧪 `sb.mock` API and Automocking: one-line module mocking to simplify your testing workflow
🧪 Favicon shows test run status for quick visual feedback
⚛️ Easier configuration for React Native projects
🔥 Auto-abort play functions on HMR to avoid unwanted side effects
🏗️ Improved CSF factories API for type safe story definitions
♿️ A11y improvements across Storybook’s UI — addon panel, toolbar, sidebar, mobile & more
💯 Dozens more fixes and improvements based on community feedback!
List of all updates
- `extend` API, portable stories - #30601, thanks @kasperpeulen!
- `react-element-to-jsx-string` - #31170, thanks @7rulnik!
- `project.json` for getAbsolutePath - #31510, thanks @ndelangen!
v9.0.18
v9.0.17
- `stories.tsx` files - #32041, thanks @ghengeveld!
v9.0.16
- `sb` CLI by explicitly exporting `bin/index.cjs` from `storybook` package - #31922, thanks @ghengeveld!
v9.0.15
v9.0.14
- `vite` peerDependencies range to include `7.0.0` - #31859, thanks @ghengeveld!
v9.0.13
v9.0.12
v9.0.11
v9.0.10
v9.0.9
- `userEvent.setup()` - #31730, thanks @ghengeveld!
v9.0.8
- `--skip-install` failing missing packageJson invariant - #31720, thanks @JReinhold!
v9.0.6
v9.0.5
- `<wrapper ...>` - #31639, thanks @JReinhold!
- `toSatisfy`-matcher implementation - #31664, thanks @ndelangen!
v9.0.4
v9.0.3
v9.0.2
v9.0.1
v9.0.0
Storybook 9.0 is here
This is a huge release focused on testing and bundle size.
Please checkout our Migration guide to upgrade from earlier versions of Storybook. To see a comprehensive list of changes that went into 9.0, you can refer to the 9.0 prerelease changelogs
List of all updates
- `linkPath` to Axe results and use it in copy link action - #31009, thanks @ghengeveld!
- `layout: centered` in conjunction with `inline: false` - #31430, thanks @ghengeveld!
- `@storybook/experimental-addon-test` to `@storybook/addon-vitest` - #31014, thanks @valentinpalkovic!
- `vitest.projects.ts` file as workspace file during postinstall - #31565, thanks @ghengeveld!
- `element` parameter with `context` - #31036, thanks @JReinhold!
- `storybook-static` from coverage reports - #31005, thanks @JReinhold!
- `staticDir` - #31340, thanks @JReinhold!
- `addon-docs` - #31488, thanks @JReinhold!
- `missingStorybookDependencies` for 9.0 - #30769, thanks @ndelangen!
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.